The North Korean state-sponsored group Kimsuky has added an unconventional tool to its offensive playbook: abusing Visual Studio Code's built-in remote tunnel feature to gain persistent access to compromised systems. The tactic, disclosed by The Hacker News on 28 May, is part of a broader campaign that targeted South Korean military and corporate organisations throughout March and April 2026.

Novel abuse of developer tooling

VS Code's remote tunnel capability allows developers to connect to a machine from anywhere and interact with it through a full IDE session. Kimsuky exploited this legitimate feature to maintain covert access on systems it had already infiltrated, effectively hiding inside trusted developer software. Because the traffic travels over Microsoft's infrastructure and the tool is widely used in enterprise environments, the activity is harder to flag as malicious compared with traditional remote access trojans.

This approach fits into a broader trend of adversaries "living off the land" — weaponising legitimate software and operating-system features rather than deploying custom malware that security products are more likely to detect. The tactic also mirrors a wider pattern of state-sponsored groups targeting developer ecosystems, from trojanised npm packages to compromises of CI/CD pipelines, signalling a strategic shift toward exploiting the software development lifecycle as an attack surface.

New malware families expand the toolkit

Alongside the VS Code tunnelling technique, researchers linked the campaign to two previously unreported malware families. HTTPSpy is a reconnaissance tool designed to harvest system information and relay it back to Kimsuky's command-and-control infrastructure. HelloDoor, meanwhile, focuses on enabling further lateral movement within compromised networks.

These additions sit alongside the group's established social engineering playbook. During the March-to-April campaign, Kimsuky crafted convincing lures including spoofed pages mimicking security software installation prompts and a fraudulent Webex meeting portal, both designed to trick victims into executing malicious payloads.

Why it matters

Kimsuky, also tracked under the alias Velvet Chollima, has long been one of the most active North Korean cyber-espionage units. Its primary targets remain South Korean government agencies, defence organisations, and companies involved in strategic industries, though the group has also been observed pursuing intelligence gathering against entities in Japan, the United States, and Europe.

The pivot toward abusing developer-oriented tooling like VS Code tunnels signals a maturing operational tradecraft. It reflects a deliberate effort to blend malicious activity into the normal workflows of software development teams, making detection significantly more challenging for security operations centres that rely on behavioural or signature-based alerts.

Practical defender checklist

For security teams concerned about similar tactics, three immediate priorities stand out:

  • Audit developer tooling usage. Monitor for unexpected VS Code remote tunnel installations or connections, particularly on endpoints that are not part of standard development workflows. Restrict tunnel creation to authorised accounts and machines.
  • Harden authentication and access workflows. Enforce multi-factor authentication on all remote access channels and review identity governance around legitimate remote-access features in widely deployed enterprise software.
  • Track evolving APT tooling. Stay current on threat intelligence reporting from sources like The Hacker News and vendor research teams. Kimsuky's rapid adoption of new malware families and novel living-off-the-land techniques means that detection rules and indicators of compromise need frequent updating.
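As an added example, not from the article or from any vendor report, the following Python triage routine applies the first checklist item to constructed endpoint process-creation events: it flags invocations of the VS Code CLI's `tunnel` subcommand, escalates when the tunnel is registered as a service or the binary runs from a user-writable path, and checks the host against an allowlist of authorised developer workstations. The `code tunnel`, `tunnel service install` and `--accept-server-license-terms` names are those of the VS Code CLI; the event format, hostnames and allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed allowlist: hosts where VS Code remote tunnels are an expected part of the workflow.
AUTHORISED_TUNNEL_HOSTS = {"dev-ws-07"}

# Constructed process-creation events in the form "host|user|parent_image|command_line".
SAMPLE_EVENTS = r"""
dev-ws-07|alice|C:\Windows\explorer.exe|"C:\Program Files\Microsoft VS Code\bin\code.cmd" tunnel --accept-server-license-terms
fin-pc-21|bob|C:\Windows\System32\cmd.exe|code.exe tunnel service install --accept-server-license-terms --name fin-pc-21
hr-lap-03|carol|powershell.exe|"C:\Users\carol\AppData\Local\Temp\code.exe" tunnel --name hr-lap-03
dev-ws-07|alice|C:\Windows\explorer.exe|"C:\Program Files\Microsoft VS Code\Code.exe" --folder-uri file:///C:/src
srv-db-01|svc_backup|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe -k netsvcs
"""

# VS Code CLI (code / code.exe / code.cmd / code-tunnel), quoted or not, followed by the "tunnel" subcommand.
TUNNEL_CMD = re.compile(r'(?:^|[\\/"\s])code(?:-tunnel)?(?:\.exe|\.cmd)?"?\s+tunnel\b', re.IGNORECASE)
# "tunnel service install" registers the tunnel as an auto-starting service: persistence, not a one-off session.
SERVICE_INSTALL = re.compile(r'\btunnel\s+service\s+install\b', re.IGNORECASE)
# A CLI binary launched from a user-writable location rather than the managed install path.
SUSPICIOUS_PATH = re.compile(r'\\(?:Temp|Downloads|Public)\\', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    host, user, parent, cmdline = line.split("|", 3)
    return {"host": host, "user": user, "parent": parent, "cmdline": cmdline}


def triage_event(ev: Dict[str, str]) -> Optional[dict]:
    """Return a finding for a tunnel invocation, or None for unrelated processes (normal IDE use included)."""
    if not TUNNEL_CMD.search(ev["cmdline"]):
        return None
    reasons = []
    if ev["host"] not in AUTHORISED_TUNNEL_HOSTS:
        reasons.append("tunnel on non-developer host")
    if SERVICE_INSTALL.search(ev["cmdline"]):
        reasons.append("tunnel installed as persistent service")
    if SUSPICIOUS_PATH.search(ev["cmdline"]):
        reasons.append("CLI launched from user-writable path")
    # An authorised host running a plain tunnel is still recorded, but only for audit visibility.
    return {**ev, "severity": "high" if reasons else "info", "reasons": reasons}


def triage_events(raw: str) -> List[dict]:
    events = (parse_event(line) for line in raw.splitlines() if line.strip())
    return [finding for finding in map(triage_event, events) if finding]


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], finding["user"], "; ".join(finding["reasons"]) or "authorised tunnel")
```

Line 4 of the sample, an ordinary IDE launch with `--folder-uri`, produces no finding, which is the distinction the checklist asks for: the tunnel subcommand, not VS Code itself, is the signal.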

As state-sponsored groups continue to blur the line between legitimate software use and malicious access, organisations of all sizes should treat developer tooling as a potential attack surface — not just a productivity feature.
